from theory to reality: building a secure cloud ... · protect ip, data and differentiated business...
TRANSCRIPT
From Theory to Reality: Building a Secure Cloud Environment
for Diagnostic Imaging
Kristina Kermanshahche Chief Architect, Healthcare
Intel Corporation February 2012
Patrick Koch Business Director, WW Vue Cloud Services Carestream Health
Agenda
• Intel Secure Healthcare Cloud: • Healthcare & Cloud Computing Trends • Core Requirements & Design Considerations • Strategy for Adoption • Technology-Differentiated Services
• Carestream Cloud-Based Diagnostic Imaging:
• Challenges & Benefits • Industry proof points and usage models • Architecture & Infrastructure • Demo
2
Healthcare & Cloud Computing Trends
3
Evolution of the Datacenter
Cloud Infrastructure
Network Storage Compute
Security
Datacenter facilities (e.g. cooling, power) Compute Network Storage
Management Unified Network
Servers Storage Arrays
Mgmt
VM VM VM VM
Discrete Datacenter
Virtualized Datacenter
Cloud Datacenter
Efficient and Secure Open Architecture Flexible Network Flexible Management
10G Unified Network Consolidation Discrete networks
4
• Enormous economies of scale • Efficiencies in size; buying power, infrastructure, power consumption • Unparalleled resource utilization
Efficiency
Agility
Availability
Services
• Improve provisioning time from days to hours • Automate workflows to enable consistency, agility and elasticity • Pay for the resources you actually use
• Deliver high availability for all workloads, regardless of location • Protect IP, data and differentiated business processes • Provide secure, broad network access on authenticated devices
• On demand, self-service portal to streamline business processes • Establish measured services for VM utilization, health and usage • Apply actual application consumption for IT capacity management
High-Level IT Strategies and Goals Business Benefits
Healthcare Utility &
Value-Add Services
• Address scarcity by effective allocation of resources & expertise • Leverage ecosystem for non-core competencies, achieve
economies of scale • Accelerate standards adoption through lower barriers to entry • Build the network value model of exchange
Cloud Computing Business Drivers
5
The Rise of Healthcare “Big Data”
6
• Diagnostic Imaging
– Average hospital requires 175TB for images & clinical records. Consumes additional 15 TB annually1. Data archive for 20+ years.
– In 2006, primary copy storage for all U.S. imaging = 24 Petabytes (assumes no duplication for RAID, archive, disaster recovery)2
– By 2014, US primary copy storage expected to reach 100 Petabytes2
• Genomic Data
– The Human Genome consists of 3 billion base pairs, unannotated, requires 3 Gb of storage uncompressed3
– In 2007, Baylor College of Medicine required 125 TB, with projected 25-fold increase in storage over the following two year period4
– Digital data projected to reach 35 Zettabytes by 2020, a 44-fold increase from 20095
1 John Halamka, CIO, Beth Israel Deaconess, http://geekdoctor.blogspot.com/. 2 “Prepare for Disasters and Tackle Terrabytes When Evaluating Medical Imaging Archiving,” ©2008 Frost & Sullivan. 3 Human Genome Project FAQs, http://www.ornl.gov/sci/techresources/Human_Genome/faq/faqs1.shtml. 4 Baylor College of Medicine, Human Genome Sequencing Center, http://www.cwhonors.org/viewCaseStudy.asp?NominationID=340. 5 IDC Digital Universe Study, sponsored by EMC, May 2010
Core Requirements & Design Considerations
7
Neurosurgeon views imaging studies, latest lab results; consults with Radiologist, Specialists
Specialists agree on treatment plan with Neurosurgeon& Radiologist
Patient arrives at ER with complications from brain tumor
Radiologist analyzes current MRI, compares with prior imaging study from remote hospital
ICU nurses view imaging studies, update chart with patient vital signs, status
Cloud Vendor Neutral Archive
Care Coordination Use Case
Smart Phone
Shared Workstation
Laptop
Operating Room Radiology Emergency Room
Client-Aware Cloud
Trust Broker
Intensive Care Neurology
1 2 3 4 5
8
Barriers to Healthcare Cloud Adoption
• Data protection and regulatory compliance require data transparency • May prevent PHI from being hosted in another country • May restrict or prohibit trans-border flow of information
• Onsite data centre audits may be impractical for cloud providers • SAS 70 Type II/SSAE16 certification, ISO/IEC 27001 • EU Directive 95/46/EC or HIPAA-compliant cloud providers
• Service-model dependent • Provisioning & automation software built against proprietary APIs • Cost of entry may be low, cost of exit may be high
High-Level IT Areas of Concern Business Concerns
• Must protect sensitive information at rest and in transit • Costs associated with data breach are rising • Cloud services and virtualization break traditional perimeter-oriented security techniques
Vendor Lock-in
Auditability & Compliance
Data Transparency
Security & Privacy
9
General Deployment Considerations Availability
– Service Level Agreements, Recovery Time Objective (RTO), Recovery Point Objective (RPO) – Application Architecture, Fault Tolerance, Network Design – Business Continuity / Disaster Recovery plans
Network Design – Network dependency / carrier diversity – Suitable, geographically-dispersed, failover data centers
Performance – Workload peak/min sizes & variability, network bandwidth, performance constraints – Monitoring, Notifications & Alerts – Start-up costs (cloud on-boarding) & risks of vendor lock-in
Regulatory – Data Protection Regulations & Locale Constraints – Data Loss Prevention, Breach Notification – Independent Attestation
Security – Defense-in-depth, boundary controller, secure perimeter requirements – Multi-tenancy risks & benefits, application security, end-to-end security model – Isolation vs. efficiency (security vs. cost tradeoff) – Administrative, Physical and Technical Controls
Governance – Availability of IT expertise, Training & Employee Policy – Security & Privacy policies, governance – Risk Assessment & Mitigation
10
Secure Healthcare
Cloud:
Strategy for Adoption
11
What is Secure Healthcare Cloud?
• Strategy for adoption with phased implementation • Best practices, standards and technologies • Design principles, deployment considerations, and
governance models • Worldwide program, key learnings, virtualization labs • Industry alliances including:
– Intel® Cloud Builders – Open Data Center Alliance (ODCA) – European Network & Information Security Agency (ENISA) – Cloud Security Alliance (CSA)
• Comprehensive set of latest security technologies & solutions covering end-to-end cloud deployment models
• Robust set of ecosystem partners to deliver complete solutions
12
Secure Healthcare Cloud Defining Characteristics Highly Available
– Designed for failure, mitigate risk of data loss, minimize potential for business disruption, tiered service levels, mutually contracted SLAs
– Geo-dispersed data centers, redundant and diverse network carriers – Failover/load balancing, stress testing for scalability and performance
Highly Secure – End-to-end security design, assess the risk profile of backend systems, the network,
identity assurance levels, and potential endpoint devices – Multi-Tenancy by design. Designed for breach and other failures, establishing a multi-
layer and defense-in-depth approach – Physical, technical and administrative controls including application security and
identity management, encryption at rest and in transit, provisioning, and backup, loss recovery, and secure destruction
– Compliance with international regulations on safe handling of protected information
Highly Transparent – Data federation services which isolate, secure, enforce sensitive workloads, as well as
establish evidence of consistent management practices – Independent attestation of security profile of underlying hosting environment, evidence
of consistent policy and security enforcement – Compliance with international audit standards
13
Adopting Secure Healthcare Cloud Current
Private Networks
Build/Grow Network of Private Clouds
External: Internet
Business Core
Utility • Identity Service • Controlled Terminology Service
• Clinical Data Repository
• Transformation & Normalization
SaaS • Scheduling/Triage • EHR • Care Coordination • ePrescribing • ePathology • Life Sciences – private / academic
Legacy Environments Internal Clients
External Clients
Utility
Interim Private + Limited Public Cloud
Federated Query/Identity
External: Internet
Utility • Service Directory • Record Locator • Trust Fabric with trading partners
• EHR Portals • Orchestration • Mediation
SaaS • Claims Processing, Adjudication
• Disease Registries • Knowledge Base • Public Health • Diagnostic Imaging
• Quality Reporting
Legacy Environments Internal Clients
External Clients
Trading Networks
Utility + Service
Future
External: Internet
Ubiquitous Hybrid Health Cloud
Utility • Master Consent & Authorization
• Broad Deployment Trust Fabric
SaaS • Clinical Decision Support
• Disease Mgmt • Secondary Use • Clinical Trials • Translational Medicine
Network Effect Drives Innovation
Legacy Environments Internal Clients
External Clients
Value-Add Data
Services
Trading Networks
Overcome scarcity by leveraging expertise and capacity in the cloud
14
Technology-Differentiated Services
15
16 * Other names and brands may be claimed as the property of others. Copyright © 2009, Intel Corporation.
Architect for the Cloud Today
Efficient World class energy
efficiency Open Multi-vendor
innovation with compatibility of
solutions
Secure Data protected at rest and in transit
Simplified Flexible IA
infrastructure and unified networking
Driving Technology Leadership to Enable the Cloud
Refresh with Intel® Xeon® 5600 and
Node Manager Deploy interoperable solutions and support
standards
Intel Trusted Execution and Virtualization
Technologies
Intel® Xeon® for servers & storage
Deploy 10GbE
Healthcare Big Data Moves to the Cloud
10TBs of Diagnostic Images for one type of test No encryption No data protection No Federation Forklift for capacity
Compression 50% savings1
Erasure code 29% savings1 Deduplication capabilities savings up to 70%1
The cloud provides cost efficient capacity scaling
data upload
data store
encryption algorithm
dedupe algorithm
compression algorithm
Intel® Xeon® Enables: Dynamically Available Capacity-scale to the cloud Added Data Protection & Sophisticated Capabilities Federated Data Access Across Medical Networks
erasure coding algorithm
Efficiency & Scalability 79% Disk Savings1
Medical Imaging
1 Intel calculations based on industry numbers for compression & erasure code
17
Ubiquitous Data Protection with Intel® AES New Instructions
Secure transactions used pervasively in e-commerce, banking, etc. 1 Full disk encryption software protects data automatically during saving to disk 2 Most enterprise applications offer options to use encryption to secure information 3
Internet Intranet
Secure transactions on Internet and Intranet
Full-disk encryption protects data on hard disks
Application-level encryption for automation and granularity
Name: J.Doe
SS# �ζ…χ∀∃
2
1
3
Allows broader use of encryption for better protection of sensitive health information
18
Carestream Cloud-Based Diagnostic Imaging
19
(Some of) CIO’s issues with their imaging IT
• Ensure Availability of Patient Data over a Lifetime
• Manage Unpredictable TCO with Unexpected CAPEX
• Enable Physicians Collaboration across Sites & Systems
20
How Do You Care For Your Data ?
© 2011, Carestream Health
• Is Your Infrastructure capable of hosting your data securely on-premises? (power redundancy, air/con, security, fire detection & extinction, etc)
• Is Your IT Team adequately skilled and staffed to adapt to ever changing retention and security requirements ?
• Is Your Architecture protected against technology obsolescence across the lifetime of data ?(software, servers, storage, etc)
21
Does Your PACS [Archive] Cost You Too Much ?
• Continuous expansion of storage capacities to absorb the exploding production of imaging data
• Upfront capital investment in capacities which stay unused and idle during most of their lifetime • Unpredictable Total Cost of Ownership over the lifetime of data (Investment, Maintenance, Expansion, Migration, Replacement)
22
Are Your Physicians Able to Share & Collaborate ?
• Ever frequent demand to get faster results on-site or on-the-go
• Integrate radiology workflow between disparate legacy imaging systems across multiple distant locations.
• Simple single-point of access to patient’s imaging record across the continuum of care for the community
23
© 2011, Carestream Health
Vue Cloud Now Introducing…
LIBERATING TECHNOLOGY.
24
p.25
© 2011, Carestream Health
A New Delivery Model for Software Cloud-based Services
Ownership Usage
Do-it-Yourself Service Level Agreement
Cloud-based Access
Point-to-Point Access
25
A Portfolio of Innovative Cloud Services
Vue Cloud by Carestream
Collaboration-as-a-Service
Teleradiology-as-a-Service
Cloud Portal
PACS -as-a-Service
Archive-as-a-Service
Regional Hospital
Physician’s Office
Reading Center
Rural Clinic
University Hospital
26
No change Vendor Neutral Infrastructure
Hospital
Physician’s Office
Carestream’s Responsibility Customer’s Responsibility
Service Boundary
Virtual Private Network (VPN)
Cloud Portal
Carestream Service Access
Point (local cache adapted
to needs)
Remote monitoring 24 X 7
Vue Cloud Platform Operated by Carestream In a Tier -3 Data Center
• Active Archive • Disaster Recovery • Unlimited retention
Vue Cloud By Carestream
DICOM [PACS, modalities]
Local Access (LAN)
HL7 [RIS, HIS]
IHE XDS-i [ECG, jpg, mpg
pdf]
Remote Secure Access
27
No change Vendor Neutral Infrastructure
Hospital
Carestream’s Responsibility Customer’s Responsibility
Service Boundary
Virtual Private Network (VPN)
Cloud Portal
Service Access Point
(local cache adapted to needs)
Remote monitoring 24 X 7
Vue Cloud Platform Operated by Carestream In a Tier -3 Data Center
DICOM [PACS, modalities]
Local Access (LAN)
HL7 [RIS, HIS]
IHE XDS-i [ECG, jpg, mpg
pdf]
Remote Secure Access
Behind the Cloud
Cloud Services Platform
Vue Cloud By Carestream
Application Servers
User Mgt Statistic Reporting
Audit & Security
Proactive Monitoring
Database Servers
Primary copy
Disaster Recovery copy
DMZ
28
Tufts Medical Center, Boston
Long Beach Memorial, CA
CHR Orleans, France
Nij Smellighen, Netherlands
Schwarzer Baer, Hannover
CMS Tokyo Group
Vue Cloud A Proven Global Platform
29
p.30
© 2011, Carestream Health
Community Hospital Going Cloud Archive
Customer Profile
• Busy 200 bed community Hospital
• Doing over 200,000 Diagnostic Radiology Studies per year
• Needed increased IT infrastructure for medical imaging
• Needed additional IT staff
• Wanted archive solution that was vendor neutral
• Wanted simple yet effective Disaster Recovery
Achievements
• Decided to subscribe to Vue Cloud Archive Service in 2007
• Currently have over 25TB stored in Carestream Cloud
• Currently have approx 1,000,000 studies stored in Carestream Cloud
• All images stored are in a standard DICOM Vendor Neutral Format
Long Beach Memorial Medical Center, Long Beach CA
Back
30
p.31
© 2011, Carestream Health
Teleradiology Services
Customer Profile
• 1st Private Teleradiology Service Provider in France
• Delivering on call reading services to independant hospitals, for emergency cases, outside business hours
• Growing rapidly, and therefore need scalable and vendor-neutral infrastructure to connect its clients and radiologists
Achievements
• Partnering with Actibase to deliver a teleradiology infrastructure as a service
• Grown from 1 hospital to currently 12 connected to the service in 18 months, all being widely dispersed across France
• Reading Center located in Lyon gets on-call studies automatically pushed from any customer locations
• Planning to connect 3 additional hospitals in coming quarter
Imadis, France http://www.imadis.fr/
31
p.32
© 2011, Carestream Health
Image Exchange Across A Community
Customer Profile
• Multiple independent hospitals & private imaging centers members of RHIO covering the Rochester County
• Looking at exchanging patient history available from other institutions to reduce retakes and improve quality of care
Achievements
• Partnering with Axolotl and eHealth Global Technologies to deliver an image exchange infrastructure as a service
• 8 Rochester healthcare institutions connected to the service
– 35,000 studies collected every month
– Hosted in CARESTREAM data center in Rochester (Frontier)
– Meta-data consolidated and images kept on-line for 2 months
– Radiology studies available on-demand from any institution
Rochester RHIO, New York, US
Back http://www.grrhio.org/
32
p.33
© 2011, Carestream Health
National Diagnostic Services
Customer Profile
• 39 hospitals across 16 health boards with legacy IT environment
• 3 millions studies per year, approx 120 TB
• 8,000 users across 2,000 wards
• Limited IT skilled within NSS
Achievements
• Private cloud with PACS/RIS/Archive (4 yrs)
• 2 fully redundant data centers with hot fail-over integrated to National EMPI
• Priors automatically pulled out of the national patient imaging record
• Radiology from multiple hospitals acting as a single department
Achievements
• Partnering with Actibase to deliver a teleradiology infrastructure as a service
• Grown from 1 hospital to currently 12 connected to the service in 18 months, all being widely dispersed across France
• Reading Center located in Lyon gets on-call studies automatically pushed from any customer locations
• Planning to connect 3 additional hospitals in coming quarter
National Radiology System, Scotland
33
© 2011, Carestream Health
Benefits of Vue Cloud Services
PERFORMANCE Your contract defines all the services we will provide, including availability, performance, data restitution and regular reports on usage and activity
SCALABILITY Add and remove data, users, sites, and tools freely as your workload ebbs and flows – without giving up any functionality
PREDICTABILITY Predictable total cost of ownership – eliminate unexpected costs from outdated internal support systems
RELIABILITY 24x7x365 proactive monitoring and remote support to provide guaranteed uptime on standardized tested platform
SECURITY Increased quality and security – leave IT to an expert team and redirect your time, money and resources toward core competencies
CONTROL Carestream follows the precise directions of your designated internal expert – and you always own your data
34
Vue Cloud Community Connect + Collaborate
Imaging Center
Town Hospital
University Hospital
Radiologist
Referring Physician
Expert
Rural Clinic
Shared Data
Shared Workflow
Teleradiology
Share Expertise
Consultation
35
Cloud Delivers Integrated Diagnostics at the Point of Care
36
p.37
© 2011, Carestream Health
Patient Portal Search Screen
37
p.38
© 2011, Carestream Health 38
p.39
© 2011, Carestream Health 39
Coming soon: MyVue, a Portal for Patients
Patient completes exam
Patient receives email from
hospital staff
Checks out with Imaging Admin
Patient shares results with specialists
Logs on with info from email
Patient owns his imaging record, shares on-demand
when needed
Continues with own treatment/care
• Consent Management • Security / Sharing protocols • Unlimited expansion • EHR Patient Portal Services
Hospital Ownership:
40
p.41
© 2011, Carestream Health
41
p.42
© 2011, Carestream Health 42
p.43
© 2011, Carestream Health 43
p.44
© 2011, Carestream Health
44
p.45
© 2011, Carestream Health
45
p.46
© 2011, Carestream Health
46
p.47
© 2011, Carestream Health
47
p.48
© 2011, Carestream Health
48
p.49
© 2011, Carestream Health
More on www.carestream.com/cloud 49
Summary
• Overcome scarcity by leveraging expertise and capacity in the cloud
• Focus on innovation, rely on the ecosystem for services outside your core competency
• Adopt standards and best practices leveraging worldwide models
50
Additional Sources of Information:
51
• Intel® Cloud Builders • Open Data Center Alliance (ODCA) • Cloud Security Alliance (CSA) • European Network and Information Security Agency (ENISA) • Healthcare Blogs – Intel® Healthcare IT Professionals • Whitepapers
– CARESTREAM* Increasing the Scalability of Medical Imaging Solutions – Secure Healthcare Cloud (TXT whitepaper) – VMware* and Intel® 10GbE Best Practices – Securing the Enterprise with Intel® AES-NI – Enhanced Cloud Security with HyTrust* & VMware*
– Taking Control of the Cloud for your Enterprise – Unified Networking with Cisco* Virtualized Multi-Tenant Data Center*
• Videos – Cloud Security: Built from the Ground Up – Trusted Execution Technology – Virtualization Demo/Animation – CARESTREAM* SuperPACS™ architecture at Clalit Health Services
• Intel® Virtualization Technology (Intel® VT) – Provides flexibility and maximum system utilization by consolidating multiple environments into a single server, workstation, or PC
• Intel® vPro™ Technology – Designed specifically for the needs of business, notebooks and desktops with Intel® vPro™ technology have security and manageability built right into the chip
• Intel® Trusted Execution Technology (Intel® TXT) – Protect confidentiality and integrity of business data against software-based attacks.
• Intel® Anti-Theft Technology (Intel® AT) – Providing the option to activate hardware-based client-side intelligence to secure the PC and its data in the event the notebook is lost or stolen
• Intel® AES New Instructions (Intel® AES-NI) – The Advanced Encryption Standard (AES) algorithm is now widely used across the software ecosystem to protect network traffic, personal data, and corporate IT infrastructures
• Intel® Identity Protection Technology (Intel® IPT) – Two-factor authentication directly into the processors of select 2nd generation Intel® Core™ processor-based PCs
• Intel® Cloud Access 360 – Protection Enterprise Access to Cloud and Protecting Enterprise Applications in the Cloud
• Intel® Expressway Service Gateway – High performance security, xml acceleration and routing. Cross-domain service mediation, threat prevention, policy enforcement. Interoperable ESB gateway
• McAfee Cloud Security Platform* – Consistent security policies, reporting, and threat intelligence across all cloud traffic—now available from a single platform
• Intel® Scale-out Storage – Tackle your data center’s challenges with enterprise storage solutions powered by the world’s most advanced multi-core architecture
• Intel® Solid State Drives – High performance, Self-Encrypting Solid State Drives for protecting sensitive data at rest
• Intel Unified Networking – Unified Networking enables cost-effective connectivity to the LAN and the SAN on the same Ethernet fabric
Intel Technologies
52